Fix reading past end of array. (#1468)

dlech · web-flow · commit 7bc7df630747 · 2025-01-28T15:22:44.000-08:00
Fix a bug in the `NonDelegatingGetIids()` implementation that could
cause reading past the end of the returned array.

`std::copy()` returns a pointer to the next element in the array after
the last element copied. The output argument `*array` was being assinged
to this pointer after the first copy, causing it to no longer point to
the beginning of the array. If the caller tries to access the full array
after this, it will read past the end of the array and will miss the
first elements of the array.

To fix, introduce a new temporary `_array` variable to pass the result
of the first copy as the starting point of the second copy. Also add a
test that failed before the fix and passes after the fix.
diff --git a/strings/base_implements.h b/strings/base_implements.h
@@ -1033,8 +1033,8 @@ namespace winrt::impl
                     {
                         return error_bad_alloc;
                     }
-                    *array = std::copy(local_iids.second, local_iids.second + local_count, *array);
-                    std::copy(inner_iids.cbegin(), inner_iids.cend(), *array);
+                    auto next = std::copy(local_iids.second, local_iids.second + local_count, *array);
+                    std::copy(inner_iids.cbegin(), inner_iids.cend(), next);
                 }
                 else
                 {
diff --git a/test/old_tests/UnitTests/Composable.cpp b/test/old_tests/UnitTests/Composable.cpp
@@ -167,4 +167,20 @@ TEST_CASE("Composable conversions")
 {
     TestCalls(*make_self<Foo>());
     TestCalls(*make_self<Bar>());
-}
+}
+
+TEST_CASE("Composable get_interfaces")
+{
+    struct Foo : Composable::BaseT<Foo, IStringable> {
+        hstring ToString() const { return L"Foo"; }
+    };
+
+    auto obj = make<Foo>();
+    auto iids = winrt::get_interfaces(obj);
+    // BaseOverrides IID gets repeated twice. There are only 4 unique interfaces.
+    REQUIRE(iids.size() == 5);
+    REQUIRE(std::find(iids.begin(), iids.end(), guid_of<IBase>()) != iids.end());
+    REQUIRE(std::find(iids.begin(), iids.end(), guid_of<IBaseProtected>()) != iids.end());
+    REQUIRE(std::find(iids.begin(), iids.end(), guid_of<IBaseOverrides>()) != iids.end());
+    REQUIRE(std::find(iids.begin(), iids.end(), guid_of<IStringable>()) != iids.end());
+}

Original file line number	Diff line number	Diff line change
`@@ -1033,8 +1033,8 @@ namespace winrt::impl`
`1033`	`1033`	`{`
`1034`	`1034`	`return error_bad_alloc;`
`1035`	`1035`	`}`
`1036`		`- array = std::copy(local_iids.second, local_iids.second + local_count, array);`
`1037`		`- std::copy(inner_iids.cbegin(), inner_iids.cend(), *array);`
	`1036`	`+ auto next = std::copy(local_iids.second, local_iids.second + local_count, *array);`
	`1037`	`+ std::copy(inner_iids.cbegin(), inner_iids.cend(), next);`
`1038`	`1038`	`}`
`1039`	`1039`	`else`
`1040`	`1040`	`{`